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RESPONSE AND AMENDMENT 



In response to the final Office action of October 18, 2005, please amend the above- 
identified application as follows: 



Amendments to the Claims are reflected in the listing of claims which begins on page 2 of this 
paper. 

Reniarks/Argaroeais begin on page 10 of this paper. 
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Attorasy Docket No. 26836,70! .201 
Application 09/640,606 
Response to 10/28/2005 Action • 

Amendments to , #e C laims; 

Please amend the claims as set forth below without prejudice. This listing of claims will 
replace all prior versions, and listings, of claims in the application: 

Listing of Ctefros; 

L (currently amended) A computer system for detecting and monitoring network intrusion 
events from log data received from network service devices in a computer network, the computer 
system having discrete modules associated with a function performed on the log data received, 
the computer system comprising: 

an event parser in communication with multiple network sendee devices , wherein t he 
Ijgl^lgsj^kLdeyicj^^ from a group comprising a firewall, VPN (virtua l 

BOiatengiw^klsen'eT. or router, and e-mail server, the event parser being able to receive log 
data in real time from the device, the log data including information detailing a network intrusion 
event received from the network service device if an intrusion has occurred, the event parser 
being able to parse fee mmrmaiion to create corresponding event objects concerning the 
intrusion ^^^dsa^UMS^M^SXmmei in formation fields relevant to net work 
■*£Sg|&»torjn« a device and a time stamp: 

an event manager in communication with the event parser, the event manager being able 
to receive the event objects, fee event manager being configured to evaluate the event objects 
according to at least one predetermined threshold condition such that, when the event objects 
satisfy the predetermined threshold condition, the event manager designates the event objects to 
be broadcast in real time; 

an event broadcaster in communication with the event manager for receiving event 
objects designated by the event manager for broadcast, the event broadcaster being able to 
transmit the event objects in real time, relative to the receipt of the log data, as an intrusion 
alarm; and 

means for alerting the user that a network intrusion event has occurred. 

2. (original) The computer system of claim 1 wherein the means for alerting the user that a 
network intrusion event has occurred is a graphical user interface in communication with the 
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^ v en pus i d js)ja screen for displaying an 

~ ^ ne \ uniK otc^ x i ding event object received 



^ ^ en of c «.n2 v v. einthe graphic user 
r at i i u s rd rt mputer system further 

n ° < » oudLJ to m event parsers; 

1 <• «■ ^ t te ihv rc U/it serviet for recalling stored 
^ <• 1 * r <> i r graphi*. sr cface and displaying recalled 
^ t i. sspl v s reen 
" r * 1 5 13 smlt r oj i 'mg and processing user 
5 o das t object aid 

,.ri if oi pone ai \ oldm„ stored event objects, fee 
? b v ^ -s u t to seaa ics executed by the application 

4 , (Previously presented) The computer system of claim 1 further comprising:' 

a network port to receive log data having a conforming message format from at. least one 

network service device; 

means for transmitting the log data having a conforming message format to the event 

parsers, said means coupled to the network port; and 

a reporting agent coupled to the network port for col lecting log data having a non- 

conforming message format from the at least one network service device and converting the log 

data to a conforming message format, 

5 - (original) The computer system of claim 4 wherein the conforming message format is 

syslog. 

6. (original) The computer system of claim 2 wherein the graphical user interface display 
screen comprises an alarm console, coupled to the event broadcaster, configured to display 
intrusion alarms, and a report console, coupled to the report serviet, configured to execute 
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Attorney Docket No. 26836.701,201 
Application 09/640,606 
Response to 10/28/2005 Action 

queries input by a user and display results, wherein the alarm consols and event broadcaster are 
displayed simultaneously on the display screen. 

7. (original) The computer system of claim 6 wherein the report console is further 
configured to display query- result data in summary lines, said summary lines comprising 
hypertext links providing access to further data. 

8. (original } The computer system of claim 6 wherein the alarm console dispi ays intrusion 
alarms in summary lines, said summary lines comprising hypertext links providing access to 
further data. 

9. (original) The computer system of claim 6 wherein the graphical, user interface displays 
the status of network security devices in real time. 

1 0. (original) The computer system of claim 9 wherein the graphical user interface displays 
the status of network security devices in summary lines, said summary lines comprising 

hypertext links providing access to farther data. 

1 1. (original) The computer system of claim 10 wherein the graphical user interface displays 
the status of network security devices in a color coded format where said color designates a 
particular status level for the particular device. 

1 2. (original) The computer system of claim 6 further comprising a chat manager accessible 
to a user from the alarm console for executing electronic communications links between the user 
and others having ax? electronic communications link to the computer system. 

; 3. (original) The computer system of claim 1 2 wherein the electronic communications link 
is an on-line link established through a web browser interface. 

1 4. {original) The computer system of claim i further comprising a plurality of event parsers 
wricrsm each event parser is configured to receive log data from a predetermined network 
service device, the plurality of parsers each coupled to the event manager. 
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Application 09/640,606 
Response to 10/28/2005 Action 

15. (original) The computer system of claim I wherein the information contained within the 
event object is read by the event manager and assigned a severity level corresponding to the 
event type information contained within the event object, and the predetermined threshold 
condition is the assigned severity level, 

1 6. (Previously presented) The computer system of claim 1 5 wherein the severity level is one 
of sever; categories for types of events contained within event objects, 

1 7. (original) The computer system of claim i further comprising an event aggregator 
module and wherein the event parser is housed within the event aggregator module, and log data 
from a multiplicity of network device sources is received by the event parser. 

1 S. (original } The computer system of claim 1 7 wherein the event parser reads log data 
posted in extensible markup language, 

1 9. (Previously presented) The computer system of claim 3 wherein the computer system is 
onc of a multiplicity ofcorapuier systems each having a graphic user interlace and the computer 
system further con-prises a central graphic user interface which accesses at. least one of the 
graphic, user interfaces of the multiplicity of computer systems. 

20. (original} The computer system of claim 1 9 wherein the central graphic user interface 
accesses at least one of the report aervfcts of the multiplicity of computer systems and 
communicates with at least cue of the databases of the multiplicity of computer systems. 

2 i . (ongmai) 1 fie computer system of claim I further comprising means for filtering event 
ohj eels received by the event manager according to one or more predetermined conditions so as 
to restrict the field of event objects designated for broadcast. 

22. (original) The computer system of claim 4 further comprising means for filtering log data 
received at the network port according to one or more predetermined conditions so as to restrict 
receipt of corresponding log data by said transmitting means. 
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Application 09/640,606 
Response to 10/28/2005 Action 

23. (origmai.} The computer system of claim 21 wherein die predetermined conditions arc 
application .name, host name, event severity, interna! device alarm identifications, source 
address, destination address, destination port, and protocol. 

24. (original) The computer system of claim 22 wherein the predetermined conditions are 
application name, host name, internal device alarm identifications, source address, destination 
address, destination port, and protocol 

25. (currently amerced) A method for detecting and monitoring network intrusion events 
irom log data received from network service devices in a computer network comprising the steps 

receiving log data, in real time, the log data including information detailing at least one 
network intrusion event received from the network sendee devices, wherein the network service 
devices comprise a device from a group comprising a firewall, VPN (virtual private network) 
server or router, and e-mail server; 

parsing the log data information to create corresponding event objects , wherein as. event 
2M<^.lQm^.^Mo|IMlimSMs.^levaiU to network security monitor ing including at least 
jfifonpatfon regardi ng resorting a device and a time stamn; and 

evaluating the event objects according to at least one predetermined threshold condition; 

where the information contained within the event objects satisfies the predetermined 
threshold condition, broadcasting the event object as an intrusion alarm in real time, relative to 
the receipt of the log data, to a display screen on a graphic user interface. 

26. (Previously presented) The method of claim 25 wherein the graphic user interface is 
configured to allow a user to initiate queries, and the method further comprises fee steps of: 

storing event objects to a database accessible by an application reporter, the database tor 
holding stored event objects, arid the database configured to recall event objects in response to 
searches performed by the application reporter in response to user queries; and 

recalling stored event objects in response to user queries from the graphic user interface 
and displaying recalled event objects on the graphic user interface display screen. 

27. (Previously presented) The method of claim 26 further comprising the steps of: 
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receiving log data in a conforming message format at a network port; 

transmitting the log data in a conforming message format to event parsers; 

collecting log dais in a non-conforming message format by executing a reporting agent; 

and 

converting the log data to a conforming message format. 

28. (original) The method of claim 27 wherein the conforming message format is sysiog. 

29. (original) The method of claim 25 wherein the event object intrusion alarm is displayed 
as a hypertext link to further event object information and the method further comprises using a 
display screen interface device to open the hypertext link to reveal further event object 
information on at least one successive display screen frameset. 

30. (original) The method of claim 26 wherein the stored event object is displayed as a 
hypertext link to further event object information and the method farther comprises using a 
display screen interface device to open the hypertext link to reveal further event obiect 
information on at least one successive display screen frameset. 

3 1 . (orig-nai) The method of claim 25 further comprising the step of filtering log data 
received according to one or more predetermined conditions so as to restrict the receipt of 
corresponding log data. 

32. (original) The method of claim 3 1 wherein the predetermined conditions are application 
name, host name, internal device alarm identifications, source address, destination address, 
destination port, and protocol. 

33. {.Previously presented.) The method of claim 25 further comprising the step of opening an 
electronic communications link to other users on the computer system. 

3 4. (original) The method of claim 33 further comprising the step of sending an electronic 
message over the communications link to other users regarding an intrusion alarm. 
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35, (currently amended) A computer system for detecting and monitoring network intrusion 
events fxom log data received iron- network service devices in a computer network, the computer 
system having discrete modules associated with a function performed on the log data received, 
the computer system comprising: 

an event parser in communication with multiple network service devices, wh erein the 
Aietwj^ssgics. devices c omprise a device from a g ro up comprising a firewall. VPN (vir tual 
priv ate network) serv er or route;, mm^^ the event parser being able to receive log 

data in real time from the devices, the log data including information detailing a network 
intrusion event received from the network service devices if an intrusion has occurred, the event 
parser being able to parse the information to create corresponding event objects concerning the 
intrusion ev^is ± wher ein an event object comprises info rmation fields relevant to netwo rk 
ggSBriiOBflB^ infor mation regarding reporting a device and a time stamp : 

an event aggregator, the event aggregator being able to filter the event objects based on 
event type and seventy; . 

^ - - ' ^ ^ r civp^itht l t>en a tv _R ic ibc^ a w gv - t i 
c ^ ndia^roei go ilgi ^ u, s ak^te k >^e 

c 0 V ^ ^ ^ >-^> ~- xcu 1 e^io o iA.Tditon sue i f a% s e„ mcve^vh v 
v s ^ l ^ ^ * e c.v'VvlixOn ti-'e «\ e^>t Ucnaet dc c c^smv'w toox e 

an event broadcaster in communication with the event manager for receiving event 
objects designated by the event manager for broadcast, the event broadcaster being able to 
transmit the event object in real time, relative to the receipt of the log data, as an intrusion alarm; 

and 

means for alerting the user that a network intrusion event has occurred. 

3 6. (currently amended) A method for detecting and monitoring network intrusion events 
from log data received from network service devices in a computer network, wherein the 
network service devices comprise a device from a group comprising a firewall, VPN (virtual 
private network) server or router, and e-mail server comprising the steps of: 
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receiving log data in real time from multiple network security devices, the log data 
including information detailing at least .network intrusion events received from She network 
service devices; 

Vising the log data information to create corresponding event objects, wherein an event 
<feLVQirm relevan t to network security monitoring including at least 

Mms&mism&m, re porting a device and a time stamp: 

filtering the event objects based on event type and severity; and 

evaluating the event objects according to at least one predetermined threshold condition; 

where the information contained within an event object satisfies the predetermined 
threshold condition, broadcasting the event object as an intrusion alarm in real time, relative to 
the receipt of the log data, to a display screen on a graphic user interface. 

37. (new) The method of claim 1 , wherein an event object comprises application. 

3 8 . (new) The method of claim 1 , wherein an event obj ect comprises event time stamp. 

39. (new) The method of claim 1, wherein an event object comprises application time stamp. 

40. (new) The method of claim 1 , wherein an event object comprises an address associated 
with the event. 

4 1 . (new) The method of claim 1 , wherein the address comprises a source IP address of the 
event, 

42. (new) The method of claim .1 , wherein an event object comprises an event duration. 

43. (new) The method of claim 2, wherein an identification number assigned by the reporting 
device. 



Page 9 of 16 



Attorney Docket No. 26836.701.201 
Appiicata 09/640,606 
Response to 10/28/2005 Actios 

REMARKS/ARGUMENTS 

This Amendment is in response to the Office Action mailed on October 18, 2005 ("Office 
Acjon"). Claims 1-36 were rejected. Review and reconsideration arc requested in view of the 
following remarks. Additionally, Applicants have amended claims 1, 25, 35 and 36, and have 

added new claims 37-43. 

EMjgiaer Interview 

Applicants thank the Examiner for the courtesy extended to the Applicants' 
representative in granting a telephonic interview, which took place April 13, 2006. Applicants' 
representative explained that the invention is not anticipated or rendered obvious by the 
reference Campbell and Orchief. li was explained that the references fail to teach the event 
■ parser m communication with multiple network service devices. It was discussed that the 
Campbell reference tails to teach such an approach and is directed to monitoring of hosts. Claim 
25 was discussed, which has language regarding a firewall, VPN server or .router and e-mail 
server. 

I; was pointed out that claim 1 teaches an event broadcaster being able to transmit event 
objects in real lime, while in contrast Campbell teaches shared data structures and transmitting a 
warning message. It was explained that Campbell does not teach the claimed transmission of 
event objects in real time, as an intrusion alarm as claimed in claim 1 . 

Applicants explained that the claims would be allowable over the cited references without 
amendment. However, in order to expedite processing of claims to allowance, Applicants 
indicated that an amendment may be submitted. 

tegjjmeMfilCIMms U 25, 35 and 36 under 35 U.S.C. § 102(e); New Claims 37-43 
tt is beheved that the claims would be allowable over the cited references without 
amendment for the reasons set forth below. However, in order to expedite processing of claims 
to allowance, Applicants have mads certain amendments to the claims without prejudice as set 
forth above. Applicants reserve the right to pursue the claims in their unamended form in a 
continuation application. 
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Ncvv' claims 37-43 have been added in order to more fully claim embodiments of 
Applicants' inversion. Review and approval are respectfully requested. 

ReiecooB of Claims L 25. 35 and 36 under 35 U.S.C. $ 102(e) 

Claims 1, 25, 35 and 36 were rejected under 35 U.S.C. § 102(e) as being anticipated by 
US Patent No. 6,839.850 (Campbell). Applicants respectfully traverse the rejection. 

The Office Action argues that Campbell reaches the claimed event parser in 

communication with multiple network service devices, pointing to Campbell, column 5, lines 35- 

4! and column 12, lines 58-67. Such column 5, lines 35-41 teaches & Si&W engine usable in 

com unction with audit agents. However, there is no teaching of the claimed event parser in 

communication with multiple network service devices . Campbell discloses "network devices," 

lor example as follows: 

FIG. i is u block diagram illustrating an exemplary computer network 1 00 including a 
Polity of network devices on which an embodiment of the .invention can be use&The 
r^f^^SS^m^^.^kes such as hosts, servers, workstatio ns, and perennal 
compuierc.X?Cj0. The present invention is usable or such networks us ARCnet, Ethernets 
and Token-Ring networks, wireless networks, among other networks. The network 100, 
in this example, has a central network cable 102, also known as media, which may be of 
any known physical configuration including unshielded twisted pair (UTP) wire, coaxial 
cable, shielded twisted pair wire, fiber optic cable, and the like, Alternatively, the 
network devices could eomniunicate across wireless links. 

Campbell, column 7, line 65 - column S, line 11 (emphasis added). As shown above, in 
Campbell 'The network devices include devices such as hosts, servers, workstations, and 
personal computers {PCs}." Thus, Campbell fails to teach the claimed event parser in 
communication with multiple network service devices. 

Additionally, regarding claim 1, the Office Action argues that Campbell teaches an event 
broadcaster being able to transmit event objects in real time, relative to the receipt of the log 
data, as an intrusion alarm. It is believed that Campbell does not teach the claimed approach. 
Campbell does teach shared data structures. Campbell also teaches causing a warning message 
to be displayed when a warning is produced by the analysis functions. See for example, 
Campbell, column 12, line 47-53. However, such teaching does not teach or suggest the 
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claimed approach of as event broadcaster being able to tra nsmit event obje cts In real time, 
relative to the receipt of the log data, as a n intension alarm . 

Weight must be given to all the elements of the claim. See MPE? 2131 (regarding 
Anticipation - Application of 35 USC 1 02(a), (b), and (e), subsection entitled 'To Anticipate a 
Claim, the Reference Mast Teach Every Element of the Claim"), which slates: 

A elatm is anticipated only if each and e very element as set forih in the cla im is found, 




either expressly or inherently described, in a single prior an reference. 

(Emphasis added,) As shown above, elements of claim 1 are not found in Campbell Thus, for 
the reasons discussed above, it is believed that anticipation of claim 1 has not been established 
and that the rejection should be removed. 

Claims 25, 35 and 36 were rejected under 35 U.S.C. § 1 02(e) based on similar reasoning 
as io claim L It. is therefore believed thai the rejection of such claims has also been overcome. 

MMMMCjalms 1 i-IQ, 12 -15, 17-22, 25-31, 33 and 34 under 35 U.S.C S 103(a) 

Claims 1 -10, 12-15, 1 7-22, 25-31, 33 and 34 were rejected under 35 U.S.C. § 103(a) as 
being unpatentable over prior art of record, US Patent No. 6,070,244 (Orchier) and further in 
view of Campbell. Applicants respectfully traverse the rejection. 

1 lie Office Action recognizes thai Orchier fells to teach transmitting the claimed event 
object in real time, relative to receipt of the claimed log data, as an intrusion alarm. However, 
the Office Action looks to Campbell for this deficiency arguing that it would be obvious to 
combine Campbell vith Orchier. Applicants disagree. 

Campbell docs not teach the claimed approach of transmitting the claimed event object in 
real time, relative to receipt of the claimed log data, as an intrusion alarm. As discussed above, 
Campbell docs teach shared data structures, and Campbell also teaches causing a warning 
message to be displayed when a warning is produced by the analysis functions. See for example, 
Campbell, column 12, line 4*?-53. However, such teaching does not teach or suggest the 
claimed approach of an event broadcaster being able to transm it eve nt objects in real time, 
relative to the receipt of the log data, as a n intrusion alarm. 
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Thus, even m combination, the references fail to teach or suggest the invention as 
claimed in claim 1 . Therefore, it is believed that prima facie obviousness has not been 
established regarding claim 1. in view of the cited references. See MPEP 2143,03: 

To establish pnma focjg obviousness of a claimed invention, all the claim lim i tations 
mast be taught or suggested by the prior art. 

(emphasis added). As show;- above, not all the limitations are taught or suggested by the cited 
references, even in combination, Therefore, it is believed that the rejection should be removed. 

Additionally, it is believed that one of ordinary skill in the art would not be motivated to 
modify Orchier to transmit the claimed event object in real time, relative to receipt of the 
claimed log data, as an intrusion alarm. Rather, Orchier teaches away, from such a modification 
in view of Campbell See MPEP 2141.02: 

A prior art reference must be considered in its entirety, i.e., as a whole, including porti ons 
that would lead away from the claimed invention. 

(emphasis added). Orchier teaches a batch approach with actions at scheduled intervals. See for 
example, Figures 4b, 4c, and 4e of Orchier, which refer to actions taking place at a designate d 
tune of day. Thus, Orchier is teaching a bateh approach, rather than a real time approach. See 
also Orchier, column 1 1, lines 4-6, which refer to steps including scheduling the starting of the 
program at a designated time of day. Thus, one skilled in the art would not be motivated to 
modus Orchier in order to transmit the claimed event object in real time, relative to receipt of the 
claimed leg data, as an intrusion alarm, since such a goal is contrary to the teaching of Orchier. 
See MPEP 2143.01: 

ff the proposed modification or combination of the prior art would change the p rinciple of 
deration of the prior an invention being modified, then the teachings of the references 
are not sufjjeiem to render the claims prima facie obvious, 

(emphasis added). Therefore, tor this additional reason Orchier and Campbell tail to render the 
invention of claim 1 obvious and it is believed that the rejection of claim 1 should be removed. 
Accordingly, removal of the rejection of claim 1 is respectfully requested. 
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Claim I also refers to intrusion events from log data received from net work serv ices 
teSfi?. in a computer network. Orchier does not provide teaching or suggestion of handling of 
network intrusion events from log data received from network services devices as claimed in 
claim 1. For this additional reason, it is believed that the rejection of claim 1 should be removed. 

Claims 25, 35 and 36 were rejected under 35 U.S.C. § 103(a) based on similar reasoning 
as to claim i. it is therefore believed that the rejection of such claims has also been overcome. 

Rejection of Depeadeai Claims 

Use rejections of dependent claims in the present application are believed overcome 
based at least for the reasons as to their parent claims, as discussed above. Additionally, it is 
believed that such! claims are independently patentable. Applicants have also presented reasons 
for patentability of such claims in a previous response, and Applicants incorporate such reasons 
herein by reference. It is believed that the Office Action has not addressed Applicants' 
arguments as to patentability of such claims. 

For example, with respect to claims 7 and 30, the Office Action cites Orchier, column 13, 

lines 45-50 and Fig. Hb, "Note" for teaching a report console further configured to display query 

result data and summary lines, said summary lines comprising h yp ertext links providing access 

jojather data. Office Action at page 1 1 (emphasis added). The cited text of Orchier does not 

appear to teach such an approach, including hypertext links providing access to further data. 

leather, such portion of Orchier provides: 

[Both] standard and ad-hoc queries are supported by the software implementation 
of the agent 82. The query agent 82 has been reduced to practice in a form that 
uses an Internet-Intranet technology, i.e. a web browser, to allow access with a 
minimum of connectivity and software distribution problems. Any querv tools 
that handles Sybase™ could be used [in the implementation. ] 

Orchier, column 13, Lines 45-50. The use of Internet/Intranet technology, i.e., a web browser, as 
disclosed in Orchier fails to teach the particular use of summary lines comprising hy perte xt links 
providing aKess.tpJirtfiexdaia. Such teaching of such a particular approach is not present in the 
general discussion of mtemef/Imrariet technology or a web browser. Thus, it is believed the 
rejection with respect to claims 7 and 30 should be removed, and such action is respectfully 
.requested. The current Office Action has not addressed Applicants' arguments m this regard. 
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Claim 9 was rejected citing column 2, lines 30-35 Orchier for teaching a graphics] user 

interface displaying the status of network security devices in real time. Office Action at 11. It is 

believed thai such interpretation of Orchier is incorrect. The cited portion of Orchier, provides: 

The technology independent layer handles the main functionality of the system; 
locating terminating employees, auditing system and user data, monitoring 
security events (e.g. failed login attempts), automatically initiating corrective 
action, interlacing with the system users, reporting, querying and storing of 
collected data. 

Orchier, column 2, lines 30-35. Such description fails to teach a graph ical user interface 
displaying the status of network security devices in real time. In fact, the cited portion of 
Orchier is directed to a layer of a layered software architecture. The cited portion is related to a 
technology independent layer of the software. This general discussion fails to teach a gr aphica l 
My!.!«terfece to explain the status of network security devices in real time. The current Office 
Action has not addressed Applicants 7 arguments in this regard. 

Claims 1 2, 33 and 34 were rejected based on a citation of Orchier, column 1 3. lines 1 0- 1 5 
and column 14, lines 5-10, for a teaching of a chat manager accessible to a user from an alarm 
console for executing electronic communications links between the user and others having an 
electronic communication link to the computer system. Office Action at 12. The cited 
description of Orchier fails to teach a cha t manager . The cited portion of Orchier provides: 
. . . of certain key security or operating system files within any one of the security 
domains 70a-70n. The alert agent 80 automatically notifies appropriate personnel 
by e-mail phone and/or pager. This is indicated by the alarm arrow 81 in Fig. 3b. 
The alert agent 80 is unique in that it is able to monitor across dissimilar 
environments, . . . 

Orchier, column 1 3, lines 10- 1 5. Applicants fail to find any teaching of the chat m ana ger. A 
SkCmanager does not follow from teaching of notification by email, phone and/or pager. 
Therefore, it is believed that the rejection of claims 12, 33 and 34 is in error and should be 
removed. Such action is respectfully requested. The current Office Action has not addressed 
Applicants"' arguments in this regard. 

Tims, for the reasons set forth above, it is believed that the rejection of tire dependent 
claims in the application should also be removed. 
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CONCLUSION 

Applicants submit thai the iasiani application is in condition for allowance. Should the 
Examiner have any questions, the Examiner is requested to contact the undersigned attorney. 

The Commissioner is authorized to charge any additional fees which may be required, 
including petition lees and extension of time fees, to Deposit Account No. 23-241 5 (Docket No. 

26836.701.201). 

Respectfully submitted, 

WILSON SONSINI GOODRICH & ROSATI 



Date: April 17. .2006 




650 Page Mill Road 
Palo Alto, CA 94304 
(650)493-9300 
Customer No, 021971 



2S0;28!_: DOC 



Page 16 of 16 



